Homeland Security Secretary Alejandro Mayorkas on Monday announced his department's initial steps to further strengthen the nation's cyber security posture in line with the Biden administration's commitment to prioritize cyber security, including requiring recipients of federal emergency grants to spend more of the funds on cyber security.
"Cyber security is more important than ever, and we will build on the department's excellent work as we transform our whole-of-government approach to tackle the challenge we face as a nation," Mayorkas said in a statement. "This week is just the beginning of a series of actions DHS will pursue nationally and international to improve cyber security at all levels."
The steps outlined by Mayorkas include raising the minimum requirement for recipients of Federal Emergency Management Agency grants to spend on cyber security, and directing the Cybersecurity and Infrastructure Security Agency (CISA) to examine new grant programs to help state and local governments bolster their cyber security.
This Thursday, Mayorkas also will "issue a call to action to build a diverse cyber security workforce and leverage DHS's partnerships to tackle the growing risk from ransomware," DHS said. The secretary will also push CISA's new "Reduce the Risk of Ransomware" effort launched in January to work with, and encourage, the private and public sector to reduce ransomware risk. DHS will also leverage the Secret Service's Cyber Fraud Task Forces to response to ransomware incidents and arrest perpetrators of this activity.
"Ransomware is a cyber pandemic that paralyzes cities, companies, and hospitals across the country," DHS said. It added that "Tackling ransomware will require partnering with private organization, state, local, tribal and territorial entities–the hallmark of DHS's approach to cyber security."
In the coming weeks, Mayorkas will also further discuss how DHS will support its partners in better managing their cyber risks and security, and engage with foreign partners to strengthen international collaboration on cyber security.
Mayorkas' announcement coincided with comments made by the new chief executive of the network management software company SolarWinds [SWI] on how the government can better work with the private sector to improve national cyber security. A key reason for President Joe Biden's prioritization of cyber security was the discovery in December of a significant breach of federal, state and local, and private sector networks likely by sophisticated Russian hackers using novel techniques that allowed the perpetrators to move around undetected for at least a year.
At least one of the vectors for the breach is a network management platform supplied by SolarWinds called Orion. It was through patches or updates to Orion that the hackers were able to exploit some of the company's customers' networks.
Sudhakar Ramakrishna, president and CEO of SolarWinds, outlined three areas the government can improve, including having a single point of contact in the government for industry to report cyber incidents. That government organization can then share the incident data with other federal agencies, he said during a discussion with him hosted by Suzanne Spaulding, a senior adviser with the Center for Strategic and International Studies and the head of CISA's predecessor agency during the Obama administration.
Having a simpler reporting structure for industry will help, Ramakrishna said. Currently, SolarWinds deals with "multiple government agencies," which is time consuming "in fighting these attacks," he said.
"What is clear with these attacks is that no single enterprise, how large or how many resources you may have, or a single government can completely identify and protect and kill these attacks that continue to emanate," he said. "So, there's a need for a tighter public-private partnership."
Since joining SolarWinds on Jan. 4, Ramakrishna said the company's engagements with the government on the hacking incident have been "broadly constructive if not always completely informational," adding that the company has been very proactive in sharing information with "national defenders."
So far, the hack is largely thought of to be for espionage purposes but the Biden administration and cyber security experts have warned that the intrusion could become disruptive.
A second area of action that could be improved by the federal government is collaboration with the private sector to enhance existing standards and best practices for cyber security.
The need is for "excellence focused versus compliance focused," he said, "because a lot of us can pass through the check boxes of, ‘Did you do this? Did you do that?' But obviously the results prove that we need to do more."
The third area is around government incentives and protections for companies to share when their networks have been compromised, Ramakrishna said. Regulations to limit liability and punitive concerns will "comfort" companies to quickly alert authorities that they've been hacked, he said.
Ramakrishna pointed to last year's Cyberspace Solarium Commission report on the need for "speed and agility" in responding to network breaches as a key ingredient for a more fruitful response.
Regarding liability concerns, Ramakrishna said that SolarWinds has discussed the topic but it isn't "top of mind." More important is the need to share information so that the threat is understood and lessons can be learned, he said.
Ramakrishna will have plenty of opportunities this week to impress on Congress how the federal government can better work with the private sector. On Tuesday he will appear before the Senate Intelligence Committee and again on Friday before the House Homeland Security Committee to discuss the ongoing breach.
Reps. Bennie Thompson (D-Miss.) and Yvette Clarke (D-N.Y.), the chairs of the House Homeland Security Committee and its Cybersecurity Subcommittee, respectively, on Monday issued a statement saying they are "encouraged" with the initial steps that Mayorkas is planning to help state and local governments with their cyber security needs.
The two Democrats said they are planning to reintroduce the State and Local Cybersecurity Improvement Act, which would establish within DHS a grant program for state, local, tribal and territorial governments to address cyber security risks and states.